A new malware dubbed KeRanger or OSX.Kreanger has surfaced and appears to be the first ransomware to target the Mac OS X operating system.

KeRanger was briefly distributed in a compromised version of the installer for the Transmission BitTorrent client. Mac OS X users who downloaded Transmission on 4 March and 5 March 2016 may be at risk of being compromised.

The malware was signed with a valid Mac Developer ID, which meant that it could bypass OS X's Gatekeeper feature, which is designed to block software from untrusted sources. Apple has since revoked the Developer ID used by KeRanger.

Security experts Symantec said once the malware is installed, it will search for roughly 300 different file types and encrypt any it finds. The malware will then display a ransom message, demanding that the victim pay one bitcoin, approximately US$408, and the payment is made using a website on the anonymous Tor network.

Symantec also added that given the popularity of Apple devices, it was only a matter of time before the emergence of ransomware affecting Mac OS X appeared. There had been instances of malicious websites targeting Safari for Mac OS X users but in these cases, the sites used JavaScript to cause Safari to display persistent pop-ups, informing the user that their browser had been "locked" by the FBI for viewing illegal content. However no malware specifically targeting Mac OS X had appeared before now.

Company Articles

In November 2015, a proof-of-concept (PoC) threat known as Mabouia was developed by Brazilian cybersecurity researcher Rafael Salema Marques, who highlighted the fact that Macs may not be immune to the threat of ransomware.

Marques shared a sample of the ransomware with Symantec and Apple. Symantec's analysis confirmed that the PoC was functional. While the threat could be used to create functional Mac OS X crypto ransomware if it fell into the wrong hands, Marques said he has no intention of publicly releasing the malware.